What Are Botnets? - The Internet Pandemic You Didn't Know About
2021 saw a dramatic rise in botnet activity: Fortinet reported that the share of organizations detecting botnet traffic grew from 35.1% in Q1 to 51.4% in Q3.
Fortinet attributed this rise to the impact of COVID-19 on online activity. Of all the botnet activity detected in 2021, 80% was linked to the top 10 known botnets.
Kaspersky's DDoS statistics point the same way: the number of DDoS attacks in Q3 2021 continued the upward trend seen when compared with Q3 2020.
In all of the attacks recorded, 40.80% targeted the U.S., with Hong Kong and China following.
Cybercrime as a whole is estimated to have cost businesses up to $6 trillion in 2021 alone, and at 15% annual growth that figure is projected to reach $10.5 trillion by 2025.
So, how do you prevent botnets from crashing your business?
Here, we'll cover all you need to know about botnets, how to prevent your device from getting infected, and share solutions to keep you safe.
What Is A Botnet?
A botnet is a group of internet-connected devices that have been hijacked by a common piece of malware and are used together to carry out cyberattacks.
The word "botnet" combines "robot" and "network": a network of machines that act as robots on the attacker's behalf. Think of it as a virtual robot army, or zombies that infect any and every device they can get into.
Each device in the botnet is called a bot, and every bot is controlled by the bot herder.
What Is A Bot Herder?
A bot herder is the person (or group) who controls the botnet and issues its commands for the sole purpose of carrying out cyberattacks.
Those attacks include spam campaigns, phishing, malware distribution, data theft, crashing servers and, most commonly, DDoS attacks.
The botnet itself is assembled from the malware-infected devices of unsuspecting victims. The malware opens a remote-control channel on each device, and through that channel the bot herder can issue commands to every bot and, in many cases, reach the data and services running on it.
How Does A Botnet Work?
A botnet works by grouping malware-infected devices into a single network under one controller.
Once added to the network, these devices become mindless zombies; their owners usually have no idea they are compromised.
Before a botnet can be used to launch an attack, the bot herder takes it through three stages: infect, grow, and attack.
Stage 1: Infect. At this stage, the bot herder has malware ready for the kinds of devices it plans to recruit.
The malware's job is simple: find vulnerable devices connected to the internet and take control of them. Targets include smartphones, PCs, tablets, smart TVs, routers, thermostats and practically every other IoT device.
The herder casts a wide net because a botnet is only as powerful as the number of infected devices in it.
Some ways this malware sneaks into your devices include:
- Visiting unsecured websites
- Clicking on fake links
- Social engineering
- Phishing attacks
- Browser cookie exploitation
- Disguised downloads (malware posing as legitimate files)
Once the malware is running on your device, the device becomes part of the robot network and waits for orders.
Stage 2: Grow. This stage is about growing the botnet into a larger network of infected devices. The bot herder uses the newly infected devices to repeat stage one at scale, scanning for and infecting more vulnerable devices, often by exploiting software vulnerabilities and sometimes zero-days.
What is Zero-Day Vulnerability?
A zero-day vulnerability is a security flaw in a device or piece of software that the vendor does not yet know about or has not yet patched, so no fix is available when attackers begin exploiting it.
The flaw gives third parties access to users' devices and software without their knowledge. Once the bot herder has an exploit for it, it uses the infected devices to scan for other devices with the same flaw and infect them. If left unchecked, this spreads as far as the bot herder decides. What makes this worse: the flaw typically isn't discovered until after it has been exploited, and by then it may be too late.
Reports show zero-day malware (malware that signature-based tools have never seen before) accounting for as much as 50% of all malware detections. These attacks aren't limited to individuals or small businesses; large enterprises also have a hard time fighting zero-day attacks.
- 2021 set a record with 66 reported zero-day exploits in the wild, almost double the 2020 total and more than any previous year.
- Zoom had one of the most widely reported zero-days: a security bug that allowed attackers to exploit users' computers running Windows 7 or older.
There are many more reports of this technique used in the infection stage of a botnet attack.
Fun fact: it's called "zero-day" because the developers have had zero days to fix it by the time it's being exploited.
Stage 3: Attack. Once the number of infected devices meets the bot herder's requirement, it's time to launch the attack. First the bot herder takes remote control of the infected devices and links them into a single network; one bot herder can command tens, thousands or even millions of devices at once.
Then the bot herder directs a massive DDoS attack, or another kind of attack, at the victim's network, usually concentrated in a short time to overload the target. But how can a bot herder control so many devices simultaneously?
This brings us to the mode of botnet control.
Mode of Botnet Control
Devices in a botnet are useless without commands from the bot herder. The usual approach is a command-and-control (C&C, or C2) channel.
The C&C server is the central point from which instructions are sent to every bot in the network. How those instructions flow depends on the botnet's architecture, that is, how the infected devices are connected to each other and to the herder.
There are two models to these connections:
- Client-server (centralized)
- Peer-to-peer (decentralized)
Client-Server Model (Centralized)
In the client-server model, all bots connect to one C&C server run by the bot herder.
- Because control is centralized, the bot herder can issue commands to all bots quickly and easily from a single point.
- The downside is a structural weakness in the network and poor anonymity for the bot herder.
Because every bot talks directly to the central server, defenders can identify that server from the bots' traffic, and possibly the bot herder's real location with it. Once the main server is taken down or taken over, the bot herder can no longer communicate with the bots.
This is what happened with Retadup, a botnet that researchers at antivirus firm Avast found had infected 850,000 Windows machines, mostly across Latin America.
Their research exposed a design flaw in the botnet's centralized C&C protocol.
Avast teamed up with the Cybercrime Fighting Center (C3N) of the French National Gendarmerie and proposed a technique to disinfect the machines infected by Retadup. C3N took control of the main C&C server without alerting the bot herder and replaced it with a disinfection server.
According to Avast, “the disinfection server responded to incoming bot requests with a specific response that caused connected pieces of the malware to self-destruct.” With this, they were able to disinfect over 850,000 infected devices.
The Gendarmerie Nationale announced the operation in a tweet (not reproduced here).
After the announcement, the bot herder, tweeting as @roadblackjoker, claimed responsibility.
At first the Avast team was unsure the claim was genuine, but it was confirmed once they obtained the C&C source code.
“In one case, the authors even responded with a screenshot showing the C&C controller. At first, we had some doubts about the legitimacy of this Twitter account, but after we obtained the source code of Retadup’s C&C components, it became clear that this screenshot, and consequently the Twitter account, were genuine.”
Peer-to-peer Model (Decentralized)
The peer-to-peer (P2P) model is decentralized: infected devices relay commands among themselves, with no central server.
- No single point of failure, so it is resilient to takedowns
- Harder for authorities to map and take down
- Propagating a command across the network is slower than in the client-server model
What makes this model attractive to bot herders is its use of an overlay network to exchange commands and control data. Since there's no main server to relay instructions, the bot herder injects a command set into the network, typically encrypted and cryptographically signed, and the bots pass it along to each other. The signing is what keeps defenders out: a bot only accepts commands it can verify came from the herder, so authorities cannot simply join the network and inject commands of their own.
Necurs is a good example of a P2P botnet, used to mount a variety of cyberattacks over the years.
Necurs has been called the most disruptive botnet ever, having infected over 9 million computers.
The absence of a central server, combined with the sheer number of infected devices, made it especially hard to stop.
Necurs is believed to have run the largest spam-sending network in the world, with victims in nearly every country.
In its investigation of the botnet, Microsoft observed a single Necurs-infected computer send a total of 3.8 million spam emails to over 40.6 million potential victims.
To end the series of attacks, Microsoft analyzed the algorithm Necurs used to generate new domains (its domain-generation algorithm, or DGA). With it, Microsoft could accurately predict the 6 million-plus unique domains the botnet would try to use over the next 25 months, and report them to the responsible registries worldwide so they could be blocked before the criminals registered them.
Microsoft said: "Microsoft is also taking the additional step of partnering with Internet Service Providers (ISPs) and others around the world to rid their customers' computers of malware associated with the Necurs botnet. This remediation effort is global in scale and involves collaboration with industry, government, and law enforcement partners via the Microsoft Cyber Threat Intelligence Program (CTIP). Through CTIP, Microsoft provides law enforcement, government Computer Emergency Response Teams (CERTs), ISPs, and government agencies responsible for the enforcement of cyber laws and the protection of critical infrastructure with better insights into criminal cyber infrastructure located within their jurisdiction, as well as a view of compromised computers and victims impacted by such criminal infrastructure.
We are working with ISPs, domain registries, government CERTs, and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland, and Romania for this disruption. Each of us has a critical role to play in protecting customers and keeping the internet safe."
Later findings show the Necurs botnet isn't entirely wiped out; its use of asymmetric cryptography to protect its command channel means defenders cannot simply inject their own commands to disband it.
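Microsoft's disruption depended on being able to run the botnet's domain-generation algorithm ahead of time. The following is an added example, not Microsoft's or Necurs's code (Necurs's real algorithm and seed are not reproduced here). It uses a hypothetical hash-based DGA to show the defensive technique: precompute the domains for the coming periods, then match them against DNS query logs. The seed, TLD list, four-day rotation period, five domains per period and the log format are all assumptions for the example, and the log lines are constructed.

```python
"""Toy DGA plus the defender's side: predict the domains, then hunt for them in DNS logs."""
import hashlib
from datetime import date, timedelta

SEED = b"example-seed"          # hypothetical seed; a real one is recovered by reverse engineering the bot
TLDS = ("com", "net", "biz")    # hypothetical TLD set
PERIOD_DAYS = 4                 # hypothetical: the botnet rotates to a new domain set every 4 days
DOMAINS_PER_PERIOD = 5          # hypothetical: domains generated per period


def period_number(day_iso: str) -> int:
    """Map a calendar date (ISO string) to the DGA period it falls in."""
    return date.fromisoformat(day_iso).toordinal() // PERIOD_DAYS


def dga_domains(period: int, count: int = DOMAINS_PER_PERIOD) -> list:
    """Derive the domains for one period. Every bot, and every defender who knows
    SEED, computes the same list; that shared determinism is what makes prediction work."""
    domains = []
    for i in range(count):
        material = SEED + period.to_bytes(8, "big") + bytes([i])
        digest = hashlib.sha256(material).digest()
        # 12 lowercase letters from the first 12 digest bytes, TLD picked by the 13th byte
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def predict_domains(start_iso: str, days_ahead: int) -> set:
    """Precompute every domain the DGA will produce from start_iso through days_ahead days later.
    This is the blocklist/sinkhole list a defender hands to registries or DNS filters."""
    start = date.fromisoformat(start_iso)
    first = period_number(start_iso)
    last = (start + timedelta(days=days_ahead)).toordinal() // PERIOD_DAYS
    predicted = set()
    for period in range(first, last + 1):
        predicted.update(dga_domains(period))
    return predicted


def find_dga_lookups(log_lines, predicted):
    """Return (client_ip, domain) for every DNS query that hit a predicted domain.
    Assumed log format: '<timestamp> <client-ip> query <qname>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = parts[3].rstrip(".").lower()
        if qname in predicted:
            hits.append((parts[1], qname))
    return hits


# Constructed sample DNS log; the second line queries a domain the DGA produces for 2024-01-02.
SAMPLE_LOG = [
    "2024-01-02T10:00:00Z 10.0.0.5 query www.example.com.",
    f"2024-01-02T10:00:01Z 10.0.0.9 query {dga_domains(period_number('2024-01-02'))[0]}.",
    "2024-01-02T10:00:02Z 10.0.0.5 query mail.example.org.",
]

if __name__ == "__main__":
    blocklist = predict_domains("2024-01-01", days_ahead=30)
    print(f"{len(blocklist)} domains to block or sinkhole over the next 30 days")
    for client, domain in find_dga_lookups(SAMPLE_LOG, blocklist):
        print(f"ALERT {client} resolved DGA domain {domain}")
```

The same two steps scale to Microsoft's numbers: running the algorithm forward over 25 months yields the full domain list, and any internal host that resolves one of those names is a bot worth isolating.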
Examples of Botnets and Their Attacks
Mirai Botnet Attack
Mirai is arguably the largest botnet the internet has seen. It appeared in August 2016 and was first documented by the white-hat research group MalwareMustDie. It is named after the anime series Mirai Nikki; mirai is Japanese for "future".
Mirai was designed as a widespread malware that scans the internet for vulnerable IoT devices but was also programmed to avoid IP addresses belonging to large corporations and government agencies.
Infection works by attempting to log in to exposed Telnet services using a built-in table of around 60 common factory-default usernames and passwords. This credential guessing is the brute force; Mirai needs no separate exploit.
Once logged in, Mirai takes control of the device, kills competing malware and blocks the other remote-administration ports (Telnet, SSH and HTTP) so that nothing else can take the device back.
The original article included a diagram of how Mirai works (not reproduced here).
Mirai lives only in memory, so rebooting an infected device removes it. But with so many bots scanning at once, a vulnerable device is typically reinfected within minutes of coming back online.
Mirai also didn't alter the normal behaviour of infected devices; they kept working as usual. Without a visible surge in activity, tracking and detecting Mirai-infected devices was difficult.
Because of this low profile, Mirai drew little attention from security agencies and governments until its DDoS attack on Krebs on Security in September 2016. Mirai took the site offline for several days and led Akamai, the CDN provider that had been protecting it pro bono, to drop it from its network.
The attack was initially estimated at 665 Gbps and later revised to about 620 Gbps; Akamai said that continuing to defend the site at that scale would have cost it millions of dollars.
Google stepped in, bringing Krebs on Security under Project Shield, the free DDoS-protection program run by Google's Jigsaw think tank.
A study from the University of California, Berkeley School of Information estimated that the Mirai attack on Krebs cost the owners of the infected devices around $323,973.75 in extra power and bandwidth.
Gameover Zeus Botnet Attack
Gameover Zeus was a P2P botnet used mostly to steal banking credentials from customers of public and private financial institutions.
Its components derive from the Zeus Trojan, a malware family that harvests victims' banking information through keylogging. Gameover Zeus is blamed for more than $100 million in losses through account takeovers.
Because of the damage it was doing to the banking industry, law-enforcement agencies including the FBI, the UK's NCA and Europol's EC3, together with private partners such as McAfee, CrowdStrike, Dell SecureWorks, Symantec and Trend Micro, mounted a joint effort called Operation Tovar.
The operation took control of the botnet's peer-to-peer network and seized its command servers, cutting the operators off from their bots.
Gameover Zeus and the CryptoLocker ransomware it distributed were shut down by this takedown.
How To Prevent Botnet Attack?
There’s no one-size-fits-all solution for preventing botnet attacks. But there are several security protocols device users and manufacturing businesses can implement.
Update Your Software
Unpatched software on users' devices is responsible for a large share of successful attacks, botnet infections included.
A 2015 Google survey found that 66% of regular users said they never install software updates, compared with 36% of security experts.
Devices most often get infected through vulnerabilities in their software, which is why manufacturers regularly release updates to fix these bugs.
So, it's important to make updating your device software a habit. It’s not only securing your device, but protecting your personal information.
We recommend checking the update settings of the software and devices you use, turning on automatic updates where available, and keeping everything current.
Monitor Unverified Login-in Attempts
Sometimes you'll get an email notification of a failed login attempt, and perhaps nine times out of ten it was you trying to access your account. But the one time it wasn't, don't dismiss it as a mistake.
If you notice spikes in failed login attempts and alerts, check with your provider, change your password and, where you control the service, block the source IP address.
The original article showed a screenshot of an unrecognized login attempt on a Facebook account (not reproduced here).
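Both the Mirai infection stage described above and the failed-login alerts in this section come down to the same signal: many authentication failures from one source in a short time, often across several usernames. The following is an added example, not code from the page or from any product it names, showing how that signal is extracted from authentication logs. The log format is a constructed, syslog-like one, the threshold and window are example tuning values, and the log lines are constructed.

```python
"""Flag credential brute-forcing: many failed logins from one source inside a sliding window."""
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5   # assumed tuning: failures per window that trigger an alert
WINDOW = 60     # assumed tuning: window length in seconds


def parse_line(line):
    """Parse the assumed format '<ISO timestamp> <service> <status> user=<name> src=<ip>'."""
    ts_s, service, status, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    ts = datetime.fromisoformat(ts_s.replace("Z", "+00:00"))
    return ts, service, status, fields["user"], fields["src"]


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: (time_of_first_alert, distinct_usernames_tried)} for every source
    that accumulates `threshold` failures within any `window`-second span."""
    events = sorted(parse_line(line) for line in lines)   # process in time order
    recent = defaultdict(deque)     # src -> timestamps of recent failures
    users = defaultdict(set)        # src -> usernames attempted (a default-credential sweep tries many)
    alerts = {}
    for ts, _service, status, user, src in events:
        if status != "FAILED":
            continue
        window_q = recent[src]
        window_q.append(ts)
        users[src].add(user)
        # drop failures that fell out of the sliding window
        while (ts - window_q[0]).total_seconds() > window:
            window_q.popleft()
        if len(window_q) >= threshold and src not in alerts:
            alerts[src] = (ts, len(users[src]))
    return alerts


# Constructed sample log: a Mirai-style Telnet sweep from 192.0.2.10, one user typo from
# 198.51.100.7, and a slow trickle of failures from 203.0.113.4 that stays under the threshold.
SAMPLE_LOG = [
    "2024-03-01T08:00:00Z telnetd FAILED user=root src=192.0.2.10",
    "2024-03-01T08:00:02Z telnetd FAILED user=admin src=192.0.2.10",
    "2024-03-01T08:00:04Z telnetd FAILED user=user src=192.0.2.10",
    "2024-03-01T08:00:06Z telnetd FAILED user=guest src=192.0.2.10",
    "2024-03-01T08:00:08Z telnetd FAILED user=support src=192.0.2.10",
    "2024-03-01T08:00:10Z telnetd FAILED user=root src=192.0.2.10",
    "2024-03-01T08:00:05Z sshd FAILED user=alice src=198.51.100.7",
    "2024-03-01T08:00:20Z sshd ACCEPTED user=alice src=198.51.100.7",
    "2024-03-01T08:00:00Z sshd FAILED user=bob src=203.0.113.4",
    "2024-03-01T08:02:30Z sshd FAILED user=bob src=203.0.113.4",
    "2024-03-01T08:05:00Z sshd FAILED user=bob src=203.0.113.4",
    "2024-03-01T08:07:30Z sshd FAILED user=bob src=203.0.113.4",
    "2024-03-01T08:10:00Z sshd FAILED user=bob src=203.0.113.4",
]

if __name__ == "__main__":
    for src, (when, n_users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {THRESHOLD} failures within {WINDOW}s by {when.isoformat()}, "
              f"{n_users} distinct usernames tried")
```

The distinct-username count is the tell that separates a default-credential sweep (root, admin, user, guest, support in a few seconds) from a legitimate user who has forgotten a password; a slower scan can still be caught by widening the window, at the cost of more noise.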
Download From Trusted Sources
The easiest way for a botnet to recruit your device is malware disguised as a legitimate download.
Whether the file is a PDF, an image, an app or an installer, if it is infected, it's only a matter of time before your device is too. To protect yourself, download files and open attachments only from sources you trust.
Two-factor Authentication (2FA)
This complements the failed-login alerts above: it is what stops a failed attempt from ever becoming a successful one.
2FA adds a second layer to your account. When someone enters your password, they also need a one-time code sent to your phone or generated by your authenticator app, so a stolen password alone isn't enough to log in.
Use An Antivirus Software
Since malware is the main way devices are drawn into botnets, antivirus software is a sensible defense. It warns you about malicious websites you visit and attachments you download.
Often the malware will be blocked or removed, depending on how capable your antivirus is. Good antivirus software like Avast is recommended to fend off even powerful botnet malware such as Gameover Zeus.
Avoid Links In Spam Emails
Spam email is the simplest phishing vehicle for taking over a device. When you receive a spam email and click the links inside it, you're putting your device at risk.
Many of those links lead to phishing pages or to downloads that install malware on your device without your knowledge.
Implement a Botnet Detection and Prevention Solution
Your website receives visits from regions beyond your control, and a botnet DDoS attack from any of them can cripple your website and crash your server, as it did for Krebs on Security.
Investing in a botnet prevention and detection solution like Edgemesh protects both the front end and the back end of your website. Where other botnet solutions rely on spotting anomalies in your traffic, Edgemesh takes it a step further.
Edgemesh uses behavioral analysis and machine learning to track all incoming traffic to your website, including clicks, traffic sources, backend lookups and IP monitoring, so you can detect and shut down a bot attack on your site within minutes.